Controlling Information Systems: IT Processes
In chapter 8 we look at controls specifically designed for the Information Systems Function.

COBIT
(What is this?) Control Objectives for Information and Related Technology (COBIT) is a control framework for IT. It is published by the IT Governance Institute to provide guidance concerning IT governance.
IT resources:
Data - objects in their widest sense
Application systems - the sum of manual and programmed procedures reflecting business processes
Facilities - all resources used to house and support information systems
People - staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services
COBIT's definition of Control:
The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. (Notice again that, like COSO's and ERM's definitions, this definition includes the achievement of objectives.)
Link to an article found on the COBIT website about the best practices in network security in 2007: http://www.computerpartner.nl/article.php?news=int&id=4634
Link to a lengthy document that describes IT control objectives for Sarbanes-Oxley and maps COBIT to COSO:
http://www.itgi.org/Template_ITGI.cfm?Section=Security,_Control_and_Assurance&CONTENTID=9857&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Systems Function (ISF):
Define, what is this?
Types of organizational structures for the ISF:
Centralized
Decentralized
Functional
Matrix
Project
Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart).

COBIT Control Process Domains:
Planning and Organization
Process 1: Establish strategic vision
Process 2: Develop tactics to realize strategic vision
Acquisition and Development
Process 3: Identify automated solutions
Process 4: Develop and acquire IT solutions
Process 5: Integrate IT solutions into operations
Process 6: Manage change to existing IT systems
Delivery and Support
Process 7: Deliver required IT services
Process 8: Ensure security and continuous service
Process 9: Provide support services
Monitoring
Process 10: Monitor operations

Segregation of Duties:
Segregating Events Processing:
Segregating Information Systems Functions:
Personnel Control Plans: